The Battle to Protect Confidential Data


Countries with nuclear aspirations would love to get their hands on Silicon Graphics International’s supercomputer technology, says Franz Aman, the company’s chief marketing officer.

There are export controls to block a sale of such information, of course. But, Aman says, product designs, financial information, and communications with customers are all valuable to someone. A determined rogue state could always try to steal designs by hacking into SGI’s network.

Keeping trade secrets from falling into the wrong hands is therefore a big focus for SGI, which also makes servers. The company uses an array of technology to help do the job, but also resists the temptation of tightening the security screws so much that it undermines productivity. “I could build the most secure network in the world and no one would be able to do their work,” says Dominic Martinelli, SGI’s chief information officer. “So you have to strike a balance.”

Many corporate networks simply aren’t secure enough. Thieves routinely infiltrate them on behalf of unscrupulous businesses and foreign governments, or as part of activist groups seeking to embarrass a company. Last year, for example, foreign hackers stole 24,000 documents related to a weapons system under development by a U.S. defense contractor, according to the Department of Defense. In another case, an individual traced to China stole confidential information from 29 chemical companies and 19 other firms, according to Symantec, the computer security company. Meanwhile, hackers affiliated with the group Anonymous copied sensitive documents from HBGary, a computer security company, and then posted them online.

To get access to corporate networks, thieves use a variety of techniques. Phishing e-mails entice employees to click on links that surreptitiously load malware onto their computers, for instance, opening the door to corporate networks. Then there’s a relatively recent and increasingly common technique known as an Advanced Persistent Threat, a highly sophisticated attack typically aimed at companies and government agencies to obtain high-value information like trade and military secrets. Unlike other hacker attacks that tend to be single, quick guerrilla strikes, these are long-term offenses that can involve a combination of tactics including installing malware and looking for software vulnerabilities. To carry out a successful attack, perpetrators must have an uncommon ability to avoid detection. “If they’re good at getting intellectual property, you won’t even know they were ever there,” said Deb Radcliff, executive editor for the SANS Institute, which trains computer security specialists.

Corporate insiders also pose a major risk. Employees have easy access to confidential information and can steal it ostensibly in the course of doing their jobs. Studies show that workers are far more likely to swipe secrets just before leaving to join another company or starting their own firm. Of those insiders caught taking confidential data, 70 percent did so within a month of submitting their resignation, according to a survey of 700 insider theft cases by CERT, the cybersecurity program at Carnegie Mellon University.

Fremont (Calif.)-based SGI, which has about 1,500 employees in offices around the world, has more than 500 patents and a product portfolio that cost a huge amount of time and money to develop. Customers and partners entrust SGI with sensitive information in their dealings. Some employees have government security clearances so they can work on contracts that require secrecy. In keeping with its security emphasis, SGI has secure conference rooms in its offices that are encased in steel so they can’t be bugged from the outside, the company says. Inside the rooms, employees can make secure phone and video conference calls.

In spite of all of their efforts, Martinelli and Aman say the company finds, on average, one computer a day infected with malware. (Such computers are quarantined and cleaned.) To protect against theft of trade secrets, SGI, like many companies, uses antivirus software and a firewall to protect against malicious intrusions on its network. Information is segregated so that only employees who need access to financial documents, for example, can get them.

The spread of mobile devices in the workplace adds to the complexity. In the past, IT departments kept tight control over the kinds of devices they allowed as a security precaution, since hackers have easier access to mobile devices when they’re used outside the office. Today, however, that control is eroding. At many companies, employees can now bring their personal smartphones and tablets to work. All they have to do is promise to use a password and keep their antivirus software up to date. “CIOs are fighting a losing battle,” Martinelli says of the reluctance by chief information officers to adopt bring-your-own-device programs, as they are known. “Senior executives want their devices.”

At SGI, the IT department manages mobile devices using a system that, if necessary, tracks their location. If a device is lost, or an employee resigns, corporate data can be erased while personal data like baby photos are retained. As an extra security measure, many companies block certain online services that they consider insecure. But Martinelli prefers to educate workers about the risks rather than filter sites. All online services are allowed with the exception of obviously malicious ones.

Of course, the security measures that make sense to one company don’t necessarily make sense to another, depending on the kind of confidential information it has and the cost of the additional layer of defense. Some companies, for example, use services that automatically encrypt e-mails that contain certain kinds of information so that the recipient has to click on a link and log in to read it. At Riverside HealthCare, a hospital and chain of medical clinics near Chicago, such a system detects when employees enter detailed medical information or Social Security numbers. “If someone said, ‘5 milliliters of morphine and the right side of my leg hurts,’ it gets encrypted,” says Erik Devine, chief security officer for Riverside HealthCare.

Other layers of security that companies use include document tracking software that logs who accesses particular files; software that monitors when files are copied, altered, or moved without authorization; and services that flag unusual behavior by employees, such as sending large e-mail attachments at 2 a.m.

Still, companies acknowledge that all of their efforts to protect intellectual property do not guarantee an end to leaks. Hackers and rogue employees can still take advantage of security holes if they know where to look. Stopping an employee from photographing product designs or reading secret formulas to an accomplice over the phone is nearly impossible. And no matter what high-tech measures are in place, workers can always just stash documents in their briefcase and walk out the door.
